01:31:58 | bigpup3: | bigpup3 has left #bitcoin-wizards |
03:10:02 | bliljerk_: | bliljerk_ is now known as bliljerk101 |
03:13:51 | PRab_: | PRab_ is now known as PRab |
03:25:20 | fanquake_: | fanquake_ is now known as fanquake |
06:33:23 | LarsLarsen: | LarsLarsen has left #bitcoin-wizards |
08:00:25 | fanquake_: | fanquake_ is now known as fanquake |
08:05:15 | wolfe.freenode.net: | topic is: This channel is not about short-term Bitcoin development | http://bitcoin.ninja/ | This channel is logged. | For logs and more information, visit http://bitcoin.ninja |
08:05:15 | wolfe.freenode.net: | Users on #bitcoin-wizards: andy-logbot fanquake arubi p15x RoboTeddy jaekwon lclc b_lumenkraft hktud0 wallet42 p15 moa coiner Transisto [7] PaulCapestany bliljerk101 copumpkin bsm117532 adam3us mkarrer Dr-G dc17523b13 d1ggy_ koshii x98gvyn heath shesek spinza dignork AnotherVogon orik mengine_ Luke-Jr Adlai waxwing rustyn STRML pigeons GAit Starduster nsh samson_ sipa SDCDev xerox Emcy_ alferz justanotheruser Logicwax thrasher` harrow` huseby Pan0ram1x cluckj jgarzik |
08:05:15 | wolfe.freenode.net: | Users on #bitcoin-wizards: GreenIsMyPepper dgenr8 SubCreative forrestv lmacken JustAnotherVogon HM luny ryanxcharles grandmaster Xzibit17 hguux__ michagogo yrashk mariorz crowleyman gribble yoleaux deepcore go1111111 ebfull ajweiss pollux-bts espes__ melvster devrandom JonTitor null bedeho kyletorpey andytoshi amiller sl01 LeMiner binaryatrocity antgreen Cory airbreather gavinandresen cornus_ammonis kefkius maaku sneak SwedFTP aakselrod EasyAt larraboj gmaxwell |
08:05:15 | wolfe.freenode.net: | Users on #bitcoin-wizards: midnightmagic lnovy Iriez bosma face jonasschnelli berndj gabridome s1w Apocalyptic DoctorBTC AdrianG roasbeef jcorgan Tiraspol [d__d] kyuupichan NikolaiToryzin ahmed__ zz_betarigs_admi Visheate phedny yorick petertodd kanzure catcow Muis cfields Zouppen coryfields_ cryptowest_ kinlo crescendo wizkid057 otoburb wumpus phantomcircuit BlueMatt jaromil gwillen dasource fenn tromp eordano nickler Alanius BananaLotus guruvan ryan-c sdaftuar helo |
08:05:15 | wolfe.freenode.net: | Users on #bitcoin-wizards: Hunger- runeks null_radix epscy nanotube starsoccer comboy Taek BrainOverfl0w so MRL-Relay azariah btc___ throughnothing @ChanServ brand0 davout NeatBasis mr_burdell d9b4bef9 a5m0 Anduck CryptOprah leakypat TD-Linux K1773R indolering warptangent veox Eliel Graet jessepollak lechuga_ warren gnusha wiz jbenet mappum eric catlasshrugged Keefe Oizopower platinuum Krellan kumavis artifexd smooth isis dardasaba Fistful_of_Coins morcos dansmith_btc |
08:05:15 | wolfe.freenode.net: | Users on #bitcoin-wizards: cursive Meeh fluffypony optimator livegnik |
11:08:16 | alliesenbub: | alliesenbub has left #bitcoin-wizards |
11:09:04 | crowleyman: | crowleyman is now known as crwlymn |
11:10:01 | alliesenbub: | alliesenbub has left #bitcoin-wizards |
12:59:26 | waxwing__: | waxwing__ is now known as waxwing |
13:15:57 | fanquake: | fanquake has left #bitcoin-wizards |
13:41:47 | crwlymn: | crwlymn is now known as crowleyman |
15:51:01 | waxwing__: | waxwing__ is now known as waxwing |
16:49:59 | gmaxwell: | Heh: thermal sidechannels, http://www.wired.com/2015/03/stealing-data-computers-using-heat/ |
16:52:10 | kanzure: | in practice i imagine that ends up like http://i57.servimg.com/u/f57/15/08/47/58/28310510.jpg |
16:55:29 | Adlai: | this isn't really 'sidechannel' in the same sense as timing attacks... just another way of communicating between already compromised systems |
16:56:49 | Adlai: | the receiving computer can't detect anything that's not intentionally broadcast from the transmitter |
16:58:04 | gmaxwell: | Adlai: there is still actually a sidechannel there (it's just low enough capacity that it's unlikely to be useful except intentionally). |
16:59:32 | fluffypony: | for those who've poked around with Darkcoin, did I miss anything major? http://www.reddit.com/r/Bitcoin/comments/2zufu1/a_great_podcast_by_lets_talk_bitcoin_discussing/cpmvogy?context=3 |
17:00:28 | fluffypony: | (also my favourite comment in that thread is this one: "Maybe Bitcoin could implement some of the features, learn from what DRK is doing" - http://www.reddit.com/r/Bitcoin/comments/2zufu1/a_great_podcast_by_lets_talk_bitcoin_discussing/cpmxf62) |
17:01:37 | gmaxwell: | fluffypony: ask brisque when he's on, he knows more than most. |
17:01:42 | fluffypony: | kk |
17:19:05 | rustyn_: | rustyn_ is now known as rustyn |
17:22:44 | dabura667: | argh, I am going insane. |
17:22:56 | fluffypony: | * fluffypony sends dabura667 to a shrink |
17:23:07 | dabura667: | Anyone willing to look over my crappy BIP32 implementation in Python? |
17:23:38 | dabura667: | I can initialize ok, but deriving gives me incorrect values, and afaik I am throwing the right values into the hmac |
17:23:51 | dabura667: | but the correct privkey doesn't come out of the hmac |
17:24:06 | sipa: | the output of the hmac is not the key |
17:24:14 | dabura667: | I know |
17:24:18 | dabura667: | the left 32 bits |
17:24:22 | dabura667: | bytes |
17:24:28 | dabura667: | oh wait |
17:24:32 | dabura667: | OHHH YEAH |
17:24:35 | dabura667: | d'oh |
17:24:39 | sipa: | you still need to add the parent privkey |
17:24:40 | dabura667: | thanks for reminding me |
17:24:58 | dabura667: | I was going insane here. I knew it was something stupid like that. thanks. |
17:28:50 | andytoshi: | dabura667: fyi, in future, #bitcoin-dev is a better channel for implementation questions |
17:29:26 | dabura667: | ok thanks, I was under the impression it was only Core related |
17:29:46 | dabura667: | made a mental note |
18:37:58 | fluffypony: | http://eprint.iacr.org/2015/263.pdf |
18:39:43 | nubbins`: | fluffypony: dat misspelling of Colombia |
18:42:37 | fluffypony: | lol nubbins` I didn't even catch that |
18:52:58 | MRL-Relay: | [tacotime] this sounds a lot like the known sybil attacks |
18:53:07 | MRL-Relay: | [tacotime] though it's neat that they quantify them |
19:05:00 | gmaxwell: | gmaxwell is now known as Guest67686 |
21:06:42 | sipa: | petertodd: until when are you in sf? |
21:22:17 | Guest67686: | Guest67686 is now known as gmaxwell |
21:32:58 | fluffypony: | lol andytoshi, now Reddit wants to know if we can implement adam3us' scheme now, like in the next week |
21:32:59 | fluffypony: | gogogo |
21:33:19 | sipa: | which scheme? |
21:33:37 | fluffypony: | sipa: https://bitcointalk.org/index.php?topic=972541.0 |
21:34:48 | MRL-Relay: | [tacotime] what? why? it's nice but it's still O(n) |
21:36:17 | fluffypony: | tacotime: because logic. Remember that whole hoopla with the Microsoft Research paper on ring sigs? Every altcoin was going to implement "Chandran Signatures" and this would automagically make Monero meaningless |
21:36:39 | sipa: | altcoins? implement? |
21:37:00 | MRL-Relay: | [tacotime] well... i mean, pretty zany things are recommended by the general public for bitcoins each day in r/bitcoin, most of which are insane or not very useful. |
21:37:13 | MRL-Relay: | [tacotime] heh. |
21:38:48 | fluffypony: | sipa: this thing - https://www.stealth-coin.com/wp-content/uploads/Stealthsend_Whitepaper_brief0914.pdf |
21:39:06 | fluffypony: | they have an entire page on Chandran signatures |
21:39:40 | fluffypony: | they quickly backtracked on the idea after andytoshi and gmaxwell discussed it here |
21:40:04 | fluffypony: | hilarity ensued |
22:10:30 | adam3us: | but its O(n) instead of O(2n) :) |
22:15:16 | andytoshi: | fluffypony: lol, oh well. sometimes reddit pattern-matches to useful related research.. |
22:20:56 | adam3us: | fluffypony: i had looked at the chandran et al paper. problem i have is its based on weil pairing and maybe some other assumptions. in the direction of but not as far as snark novel construction risk |
22:23:14 | fluffypony: | and it requires a trusted setup |
22:23:46 | fluffypony: | plus the verification time would be horrendous (it's bad enough in Monero as it is) |
22:24:27 | gmaxwell: | the verification time was linear in the ring size, IIRC. |
22:25:30 | gmaxwell: | fluffypony: I dunno if its changed but the implementation in monero I think was pretty performance braindamaged before. |
22:25:52 | andytoshi: | how practical (and plausibly secure) are zk accumulators? |
22:26:18 | fluffypony: | gmaxwell: nothing's changed, we still sigverify on one thread because logic |
22:26:48 | fluffypony: | * fluffypony sighs at the bits of the codebase nobody wants to touch |
22:26:58 | adam3us: | gmaxwell: that (verification time O(n)) may be hard to avoid short of snarks. it seems to me that you need to admit the possibility with fresh pseudo randomness that any signer could've signed and to prevent existential forgery so you need to bind all those values together so that there is at least one non-existential forgery |
22:28:58 | gmaxwell: | the forgery needs only be computationally infeasible though... so it's not obvious to me that the O(n) can't fundamentally be amortized (and indeed the snark over a hash tree proof does that). |
22:33:27 | adam3us: | gmaxwell: yeah maybe. just not with the ideas i explored so far :) my criteria were to avoid any novel crypto though so thats constraining perhaps. |
22:44:03 | amiller: | andytoshi, by zk accumulators, you mean the RSA ones that zerocoin uses? |
22:44:28 | andytoshi: | amiller: yeah, a quick search suggests there aren't others out there |
22:45:09 | amiller: | there are, there are a) accumulators from generic snarks like zerocash uses, there are b) ones using bilinear groups but they have kind of worse setup costs |
22:46:06 | andytoshi: | oh ok, i saw "strong RSA" in the title and thought they might've been number theoretic :/ |
22:46:28 | petertodd: | sipa: friday for sure, but maybe sooner - don't know yet |
22:46:47 | sipa: | ah, i'm coming to sf on wednesday |
22:46:53 | amiller: | andytoshi, i mean there are at least three kinds of accumulators, a) like in zerocash, b) using bilinear groups, c) like in zerocoin |
22:47:00 | amiller: | the last one is based on strong RSA assumption |
22:47:06 | petertodd: | sipa: cool, that's a maybe - not sure I'm in sf wed/thu/fri yet |
22:47:40 | gmaxwell: | andytoshi: the rsa like ones in theory can work in any additive cyclic group with unknown order. |
22:50:09 | amiller: | andytoshi, this is the main citation for the RSA one, which zerocoin basically uses intact http://link.springer.com/chapter/10.1007/3-540-45708-9_5#page-1 |
22:51:09 | amiller: | gmaxwell, that surprises me, you can do some kinds of zero knowledge proofs in cyclic groups with unknown order but not everything you need for a zk accumulator.. |
22:51:23 | andytoshi: | ok, thx for the help guys. my usecase fell apart when i looked at it too closely but i'll keep this in mind.. |
22:55:45 | adam3us: | speaking of RSA accumulators this shoup et al paper http://www.shoup.net/papers/subring.pdf has fixed size ring signature based on some small extension to the benaloh accumulator. but its not linkable. |
22:58:21 | gmaxwell: | amiller: could just be confirmation bias on my part. I don't off the top of my head have an argument to support that claim in a strong sense; but it was my cached result. |
22:59:41 | amiller: | gmaxwell, okay. the rsa accumulator is a little wonky, like you can only accumulate prime numbers |
23:00:14 | amiller: | zerocoin gets around that by just redrawing commitments over and over again until the commitment value itself is literally a prime number |
23:00:33 | gmaxwell: | yea, well you're trying to show knowledge of a N-th root. |